• Journal of the Korea Institute of Military Science and Technology
• /
• v.26 no.2
• /
• pp.179-187
• /
• 2023

APT cyber attacks have been a problem for over a past decade, but still remain a challenge today as attackers use more sophisticated techniques and the number of objects to be protected increases. 'Cyberattack Tracing System' allows analysts to find undetected attack codes that penetrated and hid in enterprises, and to investigate their lateral movement propagation activities. The enterprise is characterized by multiple networks and mass hosts (PCs/servers). This paper presents a data processing procedure that collects event data, generates a temporally and spatially extended provenance graph and cyberattack tracing paths. In each data process procedure phases, system design considerations are suggested. With reflecting the data processing procedure and the characteristics of enterprise environment, an operational architecture for CyberAttack Tracing System is presented. The operational architecture will be lead to the detailed design of the system.

• Journal of the Korean Operations Research and Management Science Society
• /
• v.28 no.4
• /
• pp.131-143
• /
• 2003

In this paper, we present a survey about the various graph partition problems including the clustering problem, the k-cut problem, the multiterminal cut problem, the multicut problem, the sparsest cut problem, the network attack problem, the network disconnection problem. We compare those problems focusing on the problem characteristics such as the objective function and the conditions that the partitioned clusters should satisfy. We also introduce the mathematical programming formulations, and the solution approaches developed for the problems.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.34 no.3
• /
• pp.417-430
• /
• 2024

As modern technology advances and the proliferation of the internet continues, cyber threats are also on the rise. To effectively counter these threats, the importance of utilizing Cyber Threat Intelligence (CTI) is becoming increasingly prominent. CTI provides information on new threats based on data from past cyber incidents, but the complexity of data and changing attack patterns present significant analytical challenges. To address these issues, this study aims to utilize graph data that can comprehensively represent multidimensional relationships. Specifically, the study constructs a heterogeneous graph based on malware data, and uses the metapath2vec node embedding technique to more effectively identify cyber attack groups. By analyzing the impact of incorporating topology information into traditional malware data, this research suggests new practical applications in the field of cyber security and contributes to overcoming the limitations of CTI analysis.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.11
• /
• pp.5731-5754
• /
• 2019

In this paper, we redesign, implement, and evaluate ShareSafe (Based on SecGraph), an open-source secure graph data sharing/publishing platform. Within ShareSafe, we propose De-anonymization Quantification Module and Recommendation Module. Besides, we model the attackers' background knowledge and evaluate the relation between graph data privacy and the structure of the graph. To the best of our knowledge, ShareSafe is the first platform that enables users to perform data perturbation, utility evaluation, De-A evaluation, and Privacy Quantification. Leveraging ShareSafe, we conduct a more comprehensive and advanced utility and privacy evaluation. The results demonstrate that (1) The risk of privacy leakage of anonymized graph increases with the attackers' background knowledge. (2) For a successful de-anonymization attack, the seed mapping, even relatively small, plays a much more important role than the auxiliary graph. (3) The structure of graph has a fundamental and significant effect on the utility and privacy of the graph. (4) There is no optimal anonymization/de-anonymization algorithm. For different environment, the performance of each algorithm varies from each other.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.5
• /
• pp.1079-1090
• /
• 2012

As the number of information asset and their vulnerabilities are increasing, it becomes more difficult for network security administrators to assess security vulnerability of their system and network. There are several researches for vulnerability analysis based on quantitative approach. However, most of them are based on experts' subjective evaluation or they require a lot of manual input for deriving quantitative assessment results. In this paper, we propose HRMS(Hacking and Response Measurement System) for enumerating attack path using automated vulnerability measurement automatically. HRMS can estimate exploitability of systems or applications based on their known vulnerability assessment metric, and enumerate attack path even though system, network and application's information are not fully given for vulnerability assessment. With this proposed method, system administrators can do proactive security vulnerability assessment.

• Journal of Communications and Networks
• /
• v.15 no.4
• /
• pp.407-410
• /
• 2013

Secret sharing is that a dealer distributes a piece of information (called a share) about a secret to each participant such that authorized subsets of participants can reconstruct the secret but unauthorized subsets of participants cannot determine the secret. In this paper, an access structure can be represented by a label graph G, where a vertex denotes a participant and a complete subgraph of G corresponds to a minimal authorized subset. The vertices of G are labeled into distinct vectors uniquely determined by the maximum prohibited structure. Based on such a label graph, a verifiable secret sharing scheme realizing general access structures is proposed. A major advantage of this scheme is that it applies to any access structure, rather than only structures representable as previous graphs, i.e., the access structures of rank two. Furthermore, verifiability of the proposed scheme can resist possible internal attack performed by malicious participants, who want to obtain additional shares or provide a fake share to other participants.

• Convergence Security Journal
• /
• v.22 no.3
• /
• pp.87-99
• /
• 2022

Cyber attacks have become more difficult to detect and track as sophisticated and advanced APT attacks increase. System providence graphs provide analysts of cyber security with techniques to determine the origin of attacks. Various system provenance graph techniques have been studied to reveal the origin of penetration against cyber attacks. In this study, we investigated various system provenance graph techniques and described about data collection and analysis techniques. In addition, based on the results of our survey, we presented some future research directions.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.24 no.5
• /
• pp.567-575
• /
• 2020

As online social networks are used as a critical medium for modern people's information sharing and relationship, their users are increasing rapidly every year. This not only increases usage but also surpasses the existing media in terms of information credibility. Therefore, emerging marketing strategies are deliberately attacking social networks. As a result, public opinion, which should be formed naturally, is artificially formed by online attacks, and many people trust it. Therefore, many studies have been conducted to detect agents attacking online social networks. In this paper, we analyze the trends of researches attempting to detect such online social network attackers, focusing on researches using social network graph characteristics. While the existing content-based techniques may represent classification errors due to privacy infringement and changes in attack strategies, the graph-based method proposes a more robust detection method using attacker patterns.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.527-545
• /
• 2022

In order to effectively detect APT attacks performed by well-organized adversaries, we implemented a system to detect attacks by reconstructing attack chains of APT attacks. Our attack chain-based APT attack detection system consists of 'events collection and indexing' part which collects various events generated from hosts and network monitoring tools, 'unit attack detection' part which detects unit-level attacks defined in MITRE ATT&CK^® techniques, and 'attack chain reconstruction' part which reconstructs attack chains by performing causality analysis based on provenance graphs. To evaluate our system, we implemented a test-bed and conducted several simulated attack scenarios provided by MITRE ATT&CK Evaluation program. As a result of the experiment, we were able to confirm that our system effectively reconstructed the attack chains for the simulated attack scenarios. Using the system implemented in this study, rather than to understand attacks as fragmentary parts, it will be possible to understand and respond to attacks from the perspective of progress of attacks.

• KIPS Transactions on Computer and Communication Systems
• /
• v.2 no.12
• /
• pp.533-540
• /
• 2013

Anonymity is the one of main reasons for substantial improvement of Internet. It encourages various users to express their opinion freely and helps Internet based distributed systems vitalize. But, anonymity can cause unexpected threats because personal information of an online user is hidden. Especially, distributed systems are threatened by Sybil attack, where one malicious user creates and manages multiple fake online identities. To prevent Sybil attack, the traditional solutions include increasing the complexity of identity generation and mapping online identities to real-world identities. But, even though the high complexity of identity generation increases the generation cost of Sybil identities, eventually they are generated and there is no further way to suppress their activity. Also, the mapping between online identities and real identities may cause high possibility of losing anonymity. Recently, some methods using online social network to prevent Sybil attack are researched. In this paper, a new method is proposed for extracting a user's system-wide Sybil-resistant trust value by using the properties embedded in online social network graphs. The proposed method can be categorized into 3 types based on sampling and decision strategies. By using graphs sampled from Facebook, the performance of the 3 types of the proposed method is evaluated. Moreover, the impact of Sybil attack on nodes with different characteristics is evaluated in order to understand the behavior of Sybil attack.